FortiClient VPN Credentials Vulnerable

Individuals using Fortinet FortiClient for Windows, Mac OSX and Linux may be vulnerable to having their encrypted VPN credentials stolen and decrypted. This attack would allow threat actors to access any material that the user could reach over a VPN connection. Affected versions include 4.4.2332 on Linux, 5.6.0.1075 on Windows and 5.6.0.703 on Mac OSX. A consulting company discovered the vulnerability earlier this year and, after assisting Fortinet with patching the issues, has released its technical review [1].

What we’re doing about it

eSentire Threat Intelligence will continue to monitor the situation for future releases and updates.

What you should do about it

Users should immediately update to the latest version of FortiClient:

Version 5.6.1 for Windows

Version 5.6.1 for Mac OSX

Version 4.4.2335 for Linux

It is also recommended that users not save VPN passwords in the client, and that read/write permissions on the client's configuration files be removed for standard (non-administrative) users.

Additional information

FortiClient uses a single hardcoded decryption key that is the same across all installations and can be recovered from the binary. The configuration file's permissions are also overly permissive: it is world-readable. An attacker can combine these two issues to read the stored credentials of FortiClient users on the system and decrypt them. At this time, the attack can only be conducted locally.
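As an added defender-side check (example code, not from the advisory or from Fortinet), the script below compares an installed FortiClient version against the fixed versions listed above and flags a configuration file whose mode bits make it world-readable, the two conditions the paragraph describes. The configuration file path is a placeholder, since the advisory does not name it, and the permission check applies to POSIX file modes.

```python
import os
import stat
import sys

# Fixed versions from the advisory; anything older on the same platform is affected.
FIXED_VERSIONS = {
    "windows": "5.6.1",
    "macos": "5.6.1",
    "linux": "4.4.2335",
}


def parse_version(version):
    """Turn '5.6.0.1075' into (5, 6, 0, 1075) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(platform, installed):
    """True when the installed build is older than the fixed release for that platform."""
    fixed = parse_version(FIXED_VERSIONS[platform.lower()])
    current = parse_version(installed)
    # Pad the shorter tuple with zeros so 5.6.1 and 5.6.1.0 compare as equal.
    width = max(len(fixed), len(current))
    fixed += (0,) * (width - len(fixed))
    current += (0,) * (width - len(current))
    return current < fixed


def mode_is_world_readable(st_mode):
    """Check the 'others' read bit of a POSIX stat mode, the weakness the advisory describes."""
    return bool(st_mode & stat.S_IROTH)


def audit_config_file(path):
    """Return (exists, world_readable) for the client's configuration file."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return (False, False)
    return (True, mode_is_world_readable(st.st_mode))


if __name__ == "__main__":
    # Placeholder path: the advisory does not name the configuration file.
    CONFIG_PATH = "/path/to/forticlient/config.placeholder"
    platform, installed = sys.argv[1], sys.argv[2]
    print("outdated version:", is_vulnerable_version(platform, installed))
    print("config (exists, world-readable):", audit_config_file(CONFIG_PATH))
```

Run it as `python audit.py linux 4.4.2332`; an outdated version together with a world-readable configuration file is the combination the advisory warns about.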

A proof-of-concept tool that automatically exploits the vulnerabilities has been created by the researchers, but has not been publicly released at this time.